veracode static scan
Runs a Veracode Static Analysis scan and outputs any flaws found as a JSON file. This command returns exit code 3 if any flaws are found matching the specified criteria.
Syntax
veracode static scan <file_path> [flags]
Arguments
| Argument | Description |
|---|---|
file_path | Location of the package file that contains your application source code. Ensure the file meets the packaging requirements. |
Flags
| Flag | Description |
|---|---|
--app-id | Application profile ID for the application you want to upload and scan. |
--baseline-file | Location of a JSON file with results from a previous scan. Default filename is result.json. To create a baseline file, include --results-file. The new results only include flaws not listed in the baseline file. |
--fail-on-cwe | Comma-separated list of CWE IDs. The scan results only include flaws of the specified CWEs. |
--fail-on-severity | Comma-separated list of severities. The results only include flaws of the specified severities. By default, all severities are included. Values are Very High, High, Medium, Low, and Very Low. |
--development-stage | Development stage when the scan runs. Values are case-sensitive: Development, Testing, Release |
-h, --help | Help documentation. |
--gl-issue-generation | Enter true to create GitLab issues from discovered flaws. Default is false. Before you can use this flag, you must configure GitLab. |
--gl-vulnerability-generation | Enter true to create a JSON file from the scan results. GitLab automatically imports the flaws from the JSON file as vulnerabilities. Default is false. To use this flag, you must define the paths and reports settings in the GitLab CI. |
--include | Enter a case-sensitive, comma-separated list of name patterns that represent the names of the modules to scan as top-level modules. Veracode identifies these modules during prescan. The * wildcard matches zero or more characters. The ? wildcard matches exactly one character. For example, to include various module names that contain module: --include "module 1, module-*, module2.jar"The scan results show the names of the modules that Veracode identified and the modules included in the scan. This flag does not pause, stop, or impact the performance of your pipeline. |
--policy-file | Name of a local policy file you want to apply to the scan results. To download a policy, use the policy command. |
--project-name | Name of the CI/CD repository running a scan. This flag adds the repository name to the scan results, which can help track scans across repositories. |
--project-ref | Source control reference, revision, or branch of the CI/CD repository running a scan. |
--project-url | URL of the CI/CD repository running a scan. |
--results-file | Filename or location to save the scan results as a JSON file. By default, the results are saved to ./results.json. |
--summary-output | Filename or location to save the scan results as a human-readable file. This file is not saved by default. |
Examples
To scan a Java JAR file and output flaws to results.json, run:
veracode static scan my_java_application/build/project.jar
To scan a Python ZIP file and filter the results by severity and CWE ID, run:
veracode static scan my-python-project.zip --fail-on-cwe "89,117" --fail-on-severity "Very High, High"
To scan a Java class file but only include results not included in a baseline file, run:
veracode static scan my_java_application/build/IgnoreCommand.class --baseline-file "baseline-results.json"
To create a baseline file and use it in a subsequent scan, run:
veracode static scan example.jar --results-file "baseline.json"
veracode static scan example.jar --baseline-file "baseline.json"
To scan a Python ZIP file and apply policy Veracode Recommended High, run:
veracode static scan my-python-project.zip --policy-file "Veracode Recommended High.json"